A recent research paper resurrects the idea of “security by obscurity,” a notion I’ve been fighting for decades (e.g. in The Transparent Society). The basic idea is that you will thrive better by hiding information from your foes/competitors/rivals, even if this accelerates an arms race of obscurity and spying, creating a secular trend towards ever-reduced transparency.

Now, I want to talk about a special case in which my objection – still strong in principle – is softened by pragmatic arguments. In Gaming Security through Obscurity, Dusko Pavlovic contends that you can improve system security by making it hard to find out how the system works. This concept is familiar to computer programmers: On I, Programmer, Alex Armstrong explains, “Your code can be disassembled and decompiled and in many cases, a well written program is much easier to reverse engineer. The solution generally adopted is not to write a bad program but to use “obfuscation” as a final step. That is, take a good clear program and perform a range of syntactic transformations on it to make it a mess that is so much more difficult to read and therefore to reverse engineer.”
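The obfuscation Armstrong describes is a set of syntactic transforms that leave behaviour unchanged. As an added illustration (not code from the post, from Armstrong's article or from Pavlovic's paper), this toy obfuscator renames every local identifier to an opaque one and guards each return with an always-true "opaque predicate"; the `checksum` function it works on is a constructed sample, and the `Obfuscator` class and its transforms are assumptions of this example:

```python
import ast

# Constructed sample (not from the page): a clear, readable function to obfuscate.
CLEAR_SOURCE = '''
def checksum(data):
    total = 0
    for byte in data:
        total = (total * 31 + byte) % 65521
    return total
'''

class Obfuscator(ast.NodeTransformer):
    # Two syntactic, behaviour-preserving transforms: rename locals to opaque
    # names, and guard each return with an always-true ("opaque") predicate.
    def __init__(self):
        self.names = {}                   # clear name -> opaque name
    def _opaque(self, name):
        if name not in self.names:
            self.names[name] = "_" + "O" * (len(self.names) + 1)
        return self.names[name]
    def visit_FunctionDef(self, node):
        node.name = self._opaque(node.name)
        for arg in node.args.args:
            arg.arg = self._opaque(arg.arg)
        self.generic_visit(node)
        return node
    def visit_Name(self, node):
        if node.id in self.names:
            node.id = self.names[node.id]
        elif isinstance(node.ctx, ast.Store):      # first assignment of a local
            node.id = self._opaque(node.id)
        return node                                 # unknown loads (builtins) stay
    def visit_Return(self, node):
        self.generic_visit(node)
        predicate = ast.parse("(7 * 7) % 2 == 1", mode="eval").body   # always true
        node.value = ast.IfExp(test=predicate, body=node.value, orelse=ast.Constant(0))
        return node

def obfuscate(source):
    # Return (obfuscated source, name mapping); the program's behaviour is unchanged.
    obf = Obfuscator()
    tree = ast.fix_missing_locations(obf.visit(ast.parse(source)))
    return ast.unparse(tree), obf.names

def demo(data=b"hello"):
    # Run clear and obfuscated versions (both our own constructed sources);
    # returns (clear result, obfuscated result, obfuscated source).
    obf_src, mapping = obfuscate(CLEAR_SOURCE)
    clear_ns, obf_ns = {}, {}
    exec(CLEAR_SOURCE, clear_ns)
    exec(obf_src, obf_ns)
    return clear_ns["checksum"](data), obf_ns[mapping["checksum"]](data), obf_src
```

Printing `demo()[2]` shows the point of the passage: the same arithmetic, now expressed over `_O`, `_OO`, `_OOO` and a pointless conditional, which is exactly the "junk" cost discussed later in the post.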

In cryptography, Kerckhoffs’s principle says that a system should be secure even if everything is known about it, formulated by Claude Shannon as “The enemy knows the system.” This stands in contrast to security by obscurity. (Thanks to xkcd for the cartoon!) The recent paper by Dusko Pavlovic suggests that security is a game of incomplete information and the more you can do to keep your opponent in the dark, the better.

Now there’s a lot of misleading discussion about this, so, if you are expecting “Mr. Transparency” to be all up in arms over this, you are mistaken. What is at issue here is fundamentally the question of the ZERO SUM GAME.

(First, look up the concept of zero-sum and positive sum or win-win games. It is probably the most vital idea you could possibly own in your head and being able to tell these things apart should be a pass-fail requirement for citizenship.)

Most human beings used to live pretty much zero-sum existences. If you wanted to get ahead in the world, you needed to win points by causing your enemy to lose. This applied when it came to mate-seeking, food-seeking, heck at almost any level. Tribes and societies formed in order to eke out a small surplus that might go to positive-sum activities like irrigation and libraries, but the pyramid-shaped, inheritance-based oligarchies that ruled them made sure there were winners above and losers below. And when it came to human inventiveness, clever craft workers knew — if you discover a better way to do something, keep it secret or you’ll lose every advantage. Why do you think the Baghdad battery, the Antikythera Device, and the wondrous steam engines of Heron all vanished, to be forgotten and lost to progress?

The Enlightenment’s core discovery was the positive-sum game… ways that democracy, markets and science can “float all boats,” so that even those who aren’t top-winners can still see things get better, overall, year after year — leading to the diamond-shaped social structure we discussed in an earlier post (last week), with a vibrant and creative middle class outnumbering the poor.

This dream did not come true by emphasizing cooperation alone, though cooperation is an ingredient. Just as important is competition, nature’s great locus of innovation and the driver of evolution. But it has to be regulated and carefully tuned. If competition results in a new oligarchy, you get right back to the pyramid again, with topmost cheaters restoring zero-sum thinking, and everybody loses. Look at 6000 years of history, fer gosh sakes.

One of the most ingenious “regulations” — supported by Adam Smith, Ben Franklin and others — was the notion of intellectual property or IP. Patents and copyrights were never intended to mean “I own that idea!” No, intellectual property was born entirely as a pragmatic tweak, offering creative people a subsidy in order to draw them into openly sharing their discoveries… so that others might use and improve them and we get the virtuous cycle of positive-sum improvements, ever-accelerating knowledge, skill and wealth.

Let there be no mistake. That is one of many ways that regulated competition delivers on the promise of markets and Smithian capitalism vastly and demonstrably far better than anything that ever resembled laissez faire or Randian cannibalism festivals.

Which brings us full circle to Pavlovic’s paper and the storm of simple-minded misinterpretations that are going around. As you’d expect, my initial reaction was “bullshit!” In The Transparent Society I show mountains of evidence that we’re all better off in an increasingly open world. All of our positive-sum Enlightenment “arenas” — Democracy, Markets, Science etc — are healthy precisely in proportion to the degree that all participants know what’s going on so they can make well-informed decisions and choose better products.

Even when it comes to security, we should all be aware of how the dream of Dwight Eisenhower finally came true, after Sputnik, when spy satellites flew around the globe taking pictures… and it did not trigger a third world war. Rather, Ike’s “Open Skies” helped to prevent war, to calm the arms race, to save us all.

Yet, I willingly accept the validity of Pavlovic’s paper, in the limited context that he chooses. True, a positive sum game is nearly always better than a zero sum… or a sick negative sum game. And true security will only really happen for us all when the world is so awash in light that thieves and oppressors generally get caught and deterrence reigns. Transparency isn’t a naive, utopian dream. It is empowerment of all, so that reciprocal accountability keeps the cycles virtuous. It is the Enlightenment’s core.

But Pavlovic is describing a specialized case: a situation in which things are already decidedly zero sum, in which your company knows that its competitors cheat. They steal IP, and our Enlightenment civilization is all too often failing to do anything about it, as America and other western nations fail miserably to protect western IP… the goose that lays the world’s golden eggs.

Reciprocity has broken down and with IP no longer protected, innovators must fall back on the old ways. Concealment. Trade secrets. Squirreling away your tricks so the other guy won’t get to copy them.

Overall, that is the world we’re heading back toward, for a number of reasons. Because certain countries and companies are rampant intellectual property thieves. Because Western leaders won’t act to stop it. Because some western mystics and idiotic “legal scholars” actually believe that IP is based on principles of palpable ownership, and thus secrecy is somehow equivalent to patent declaration, instead of its diametric opposite!

And because life is still life. Even in the context of a positive-sum civilization, you and your company may find yourselves in a zero or negative sum situation, needing to protect — with “obscurity” — the code tricks that you feel you have a right to benefit from.

Let there be no doubt, the prescription is a nasty and ugly one. Deliberately flood your own code with so much spurious junk that a competitor will be rendered clueless and unable to reverse engineer it? This may be an effective short term tactic, but it will also result in — well — junk-filled code! Harder for YOU to engineer and repair. Or to benefit from crowd-sourced improvements. Sluggish and inherently inefficient.

This is a different matter than slipping in Tattler Code… segments that reveal if a competitor stole or copied from you. Even segments that go online and tattle when the code is run! These are clever, legal, and involve transparency of a sort! A searing light of accountability that seems a lot like an immune system at work.

I could go on. But swamped, I’ll leave it there. Except to add this:

Fight for a civilization that becomes more filled with light, wherein competition isn’t cut-throat, but simply the way that people like you and me and Steve Jobs get the best out of ourselves! I push transparency as the most-frequently applicable medicine. But even more important is to stay calm, and understand what we should defend.

And defend it.

====

Remember – I’ll be holding an open house meet-up in New York City on Monday, October 17, at around 8:30pm at O’Reilly’s, 21 W 35th St. (upstairs: byo-drinks.) An informal gathering of folks who love the future, sci fi or just lots of talk! (If you really like all those things, then check out the Singularity Summit in NYC. I’m speaking on October 16.)

I’ll also be the Guest of Contraflow, the New Orleans science fiction convention: November 4-6. Join us if you’re in the area!

The situation that you describe is a variant of the Prisoner’s Dilemma. In a transparent society, a temporary advantage can be gained by making your stuff non-transparent. That then leads to retaliation and a rapid descent into a non-transparent society.

A practical ANALOGY as an example: I’m a freelancer for an online game vendor. My job is to hack their games, either Flash/XML delivered to clients or server-sided, finding holes, glitches and exploits, then sending reports.

This game vendor applies FULL transparency to their AMF HTTP requests/responses, so that competitors and players can easily read all human-readable tokens. It’s fully bare naked.
The vendor relies only on server-side validation and filtering: all incoming HTTP requests are validated, to reject infiltration and allow legitimate ones.

When a hole is found (one that could potentially be abused), it’s not always or immediately patched. I know they just let the exploit/glitch spread, for the following reasons:
– the number of cheaters is not significant enough to disturb the vendor (some million in losses against billions of in-hand profit),
– they steal in-game cash and virtual goods; most of them do it because they simply cannot afford it, so it’s useless to force them to buy,
– on the other side, the vendor gains two main advantages from these cheaters: (a) they add to the DAU/MAU (daily/monthly average users), and (b) they are free evangelists, posting free advertising to their public wall feed (also online blogs and forums), teasing non-players into becoming new players.

When in late 2010 an exploit gradually became uncontrollable, a massive number of players was involved. I could count $billion damage. ($10 for 80 in-game cash, while by bot every 10 minutes a single player was able to get ~50-100 cash free from the exploit. 100K cheaters x $10 x 6 times/hour = $6000K/hour potential losses.) The vendor soon patched the exploit; several overly greedy players were banned, the others got rolled back. (see allbots et al., cr, ch, cf, cm, L…)

—-
IP can’t be expected to be 100% secure, it’s too heavenly.
UPGRADE the LAWS (or the cooperative agreements), so that it remains transparent, but also naturally guarantees to MINIMIZE damage by cheaters.
—-

Software obfuscation is not always done by inserting garbage code. Now, a lot of vendors use keyed encryption to obfuscate pre-released code. Zend is an example. It can be called a clean obfuscation. Each client must have a unique key lib in order to run it. The software is hard to decompile (reverse engineer), but it’s only “hard”, not “impossible”. Deciphering, sniffing and debugging tools are widely available.

Yes, actually it’s still *IMPLICITLY* transparent for positive-sum gaming and also to be cheated.

The additional unique key makes it have what is called Kerckhoffs’s principle. The vendor can even add Tattler code, so it’s multi-layer security, in order to keep the positive sum in case of being cheated. Then it’s an example of the DARK one.
But again, Tattler code and that Kerckhoffs’s principle are also easily hacked because clients still have control over it. Cheaters can debug runtime code. Hence all pirated MS Windows versions are available for $0.5 – $1 on DVD, worldwide excluding western countries.

SOFTWARE AS A SERVICE (SaaS) running server-side is also an example analogy of how Intellectual Property could be protected (for the special case), while keeping transparency.
Only the services are hidden inside the server, but all the secret code is widely open, freely available in academic/professional books and/or on the Internet. They (SaaS vendors) offer value-added services; every competitor can offer the same services; it’s the value-added services that make them different.

FREECONOMICS and FREEMIUM are other examples.
As a side note, it’s already well known that most open source software ends up lacking support and continuity.

Those are examples of how *COMPARATIVE ADVANTAGES* should be kept: always keep the pace one step ahead.
By the time the others are capable of stealing/duplicating it, it’s already relatively obsolete tech, or you’re already too big to be defeated.
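An added example, not the commenter's code and not the vendor's, of the design this comment describes and of Kerckhoffs's "the enemy knows the system" from the post: the request format is fully readable, and every security decision (reward amount, the ten-minute cooldown the bots were racing, replay rejection) is made from server-held state. The in-memory store, the JSON shape, the reward figure and the cooldown are all assumptions constructed for the demonstration:

```python
import json
import time

# Constructed server-side state (assumption: an in-memory stand-in for the
# vendor's database). Balances and cooldowns live here, never in the client.
REWARD_AMOUNT = 50        # in-game cash the server pays per claim
COOLDOWN_SECONDS = 600    # one claim per ten minutes, enforced server-side

class GameServer:
    def __init__(self, now=time.time):
        self.now = now              # injectable clock so the demo is deterministic
        self.balance = {}           # player -> in-game cash
        self.last_claim = {}        # player -> time of last paid claim
        self.seen_nonces = set()    # replay protection
    def handle(self, raw_request):
        """Validate one fully readable JSON request; nothing in it is trusted."""
        try:
            req = json.loads(raw_request)
        except ValueError:
            return {"ok": False, "reason": "malformed"}
        player, nonce = req.get("player"), req.get("nonce")
        if not isinstance(player, str) or not isinstance(nonce, str):
            return {"ok": False, "reason": "malformed"}
        if nonce in self.seen_nonces:
            return {"ok": False, "reason": "replay"}
        self.seen_nonces.add(nonce)
        if req.get("action") != "claim_reward":
            return {"ok": False, "reason": "unknown action"}
        # A client may state an amount; anything but the server's own figure is
        # flagged as tampering rather than paid out.
        if req.get("amount", REWARD_AMOUNT) != REWARD_AMOUNT:
            return {"ok": False, "reason": "tampered amount"}
        last = self.last_claim.get(player)
        if last is not None and self.now() - last < COOLDOWN_SECONDS:
            return {"ok": False, "reason": "cooldown"}
        self.last_claim[player] = self.now()
        self.balance[player] = self.balance.get(player, 0) + REWARD_AMOUNT
        return {"ok": True, "balance": self.balance[player]}

def demo():
    # Constructed traffic: a legitimate claim, a replay, a tampered amount, a
    # bot retrying too early, and a legitimate claim after the cooldown.
    clock = [1_000_000.0]
    server = GameServer(now=lambda: clock[0])
    claim = lambda n, extra="": f'{{"action":"claim_reward","player":"p1","nonce":"{n}"{extra}}}'
    results = [server.handle(claim("n1")), server.handle(claim("n1")),
               server.handle(claim("n2", ',"amount":100')), server.handle(claim("n3"))]
    clock[0] += COOLDOWN_SECONDS
    results.append(server.handle(claim("n4")))
    return [r.get("reason", "paid") for r in results], server.balance["p1"]
```

Every rejection carries a reason, which is what a vendor logs to watch the cheater population the comment describes rather than hiding the protocol from it.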

This didn’t leave me with a clear sense of what it is that you regard as the primary threat. Is it simple IP theft (in the Chinese knock-off sense), or is it a youthful hacker misinterpretation of “information wants to be free”, or is it something else? One thing that interests me about this is that my father was a patent attorney, and had he ever spoken so lucidly about the contribution of IP law to the advance of civilization, he’d have gotten my attention. Like many, I’ve spent the last several decades believing that IP law is TOO vigorously applied in software, and many of the software patents too trivial, and that the rise of open source software brings hope to the table, even while it lowers engineers’ salaries. What would probably help would be patents whose term is not fixed, as 20 years really is too long in the software world, but was entirely appropriate for mechanical inventions of the 18th and 19th centuries. Either that, or we need patent examiners to award patents only for really substantive inventions.

The central proposition of this article is the patent angle on the standard IP rationale: that disclosure is increased compared with a non-patent system, and that the benefit of inducing disclosure outweighs the detriment of a quasi-monopoly market. But there are some questions for such a hypothesis.

First, it somewhat presupposes that a significant proportion of inventions *can* be concealed. Is that true? Second, it somewhat presupposes that inventors will, a significant proportion of times, agree to the bargain of IP: but consider, if an invention can be concealed anyway for longer than IP monopoly terms, why would the inventor sign-away that extra advantage? Third, that commercial competition (for customers) is a zero-sum game does not imply the particular tactic of IP: if an inventor can win sufficiently by other means, would they still choose the costs of concealment?

Lastly, it is in the end a matter of weighing things up, and nothing much supports it: as Landes & Posner say: “Economic analysis has come up short of providing either theoretical or empirical grounds for assessing the overall effect of intellectual property law on economic welfare.” — ‘The Economic Structure of Intellectual Property Law’, Landes & Posner, 2003. That is, no-one knows if it does any good overall.

But the real question is the one people rarely notice has been missed. The choice is not IP or no IP: it is what *new* *better* system can be devised given current technology . . .
